Articles
Country guides
Understanding the updated ICO guidance on storage and access technologies under UK law
Country guides
new

Understanding the updated ICO guidance on storage and access technologies under UK law

Published  

7/7/2026

8
min read

Published  

July 7, 2026

by 

Ali Talip Pınarbaşı

10 min read
Summary

As cliché as it sounds, the answer to the question of whether you need to obtain consent for a specific cookie or similar technology under the PECR and the UK GDPR is “it depends”. 

Take a cashback reward program as an example. The cookies used to deliver that service to users might qualify as 'strictly necessary'  but only if they are essential to the service itself. The moment those same cookies also share data with third-party advertising partners, the exemption likely no longer applies, and consent will be required. This is the kind of nuance the ICO's updated Guidance is designed to help organizations navigate.

Furthermore, the Data Use and Access Act 2025, which came into force on February 5, 2026, introduced new changes to the cookie rules in the UK. Those changes include exempting certain cookies and similar technologies from the consent requirements under the PECR. 

Considering these factors, the UK Information Commissioner’s Office (ICO) revised its Guidance on the Use of Storage and Access Technologies, which was published on April 29, 2026. Overall, the new Guidance provides important clarifications related to the use of cookies, tracking pixels, and similar technologies by websites, mobile apps, and other online service providers. 

In this article, we will walk you through what storage and access technologies are, consent rules, exemptions from the consent requirement under the PECR, and how to obtain and manage consent in full compliance.

What are “storage and access technologies” under the PECR? 

The ICO’s new Guidance only applies to certain categories of online tools and technologies, as addressed in the second section of the Guidance. As noted by the organization, the PECR applies to technologies that are used for one of the following: 

  • A technology stores information on a user’s or subscriber’s terminal equipment, such as a computer, mobile phone, or tablet or;
  • A technology accesses information stored on a user’s or subscriber’s terminal equipment, such as a computer or a mobile app. 

For example, cookies, tracking pixels, and fingerprinting techniques fall under the scope of the PECR. Similarly, link decoration, web storage, and navigational tracking are also subject to the relevant PECR rules. 

As you can see, the PECR does not distinguish between different devices or online media, and its rules apply to websites, mobile apps, smart TVs, and other connected devices, such as IoT devices. In addition, the ICO explicitly notes that both server-side and client-side technologies are covered by Regulation 6 of the PECR. In other words, even if data is not stored on a user’s web browser or mobile device, such use will still fall under the scope of the PECR. 

What are the consent rules under the PECR?

Now that we have covered the scope of the PECR, let’s talk about the key rules that you need to comply with under the PECR. 

As noted in the new ICO Guidance, the key rule under the PECR is that you must obtain prior consent before storing or accessing information on users’ equipment, such as cookies, tracking pixels, or web storage, and you must provide users with comprehensive information about the storage and access technologies. 

In this section, we explain how you can comply with PECR’s consent and transparency requirements. 

Providing clear and comprehensive information to users/subscribers about the use of storage and access technologies

The ICO Guidance clarifies that if you use cookies or similar technologies to access information or store information on users’ devices, you must provide them with a clear and comprehensive notice containing the following details: 

  • Specific cookie or similar technologies you plan to use;
  • Your purposes for the use of cookies and similar technologies, such as tracking pixels and fingerprinting.
  • whether any third parties will store or access the information on the user’s device; 
  • Whether you will share information stored on user devices with third parties; 
  • For how long you plan on storing or accessing information. 

If you are wondering, this sounds too familiar to the GDPR transparency requirements, you are on point: As the ICO Guidance sets out, the UK GDPR’s transparency requirements apply to the information you must provide to users when you place cookies or use other technologies. 

Obtaining consent before the use of storage and access technologies. 

If you obtain consent to use access or storage technologies, you must comply with the UK GDPR’s consent requirements.

In its Guidance, the ICO sets out the specific requirements you need to adhere to when you ask for and obtain consent from users: 

  • Users must take a clear and positive action to give their consent to the use of cookies and similar technologies;
  • You must provide users with prior information about the use of cookies and similar technologies as listed above; 
  • You must provide identities and details of each specific third party whose storage and access technologies you are asking subscribers or users to consent to. 
  • Consent should be obtained before using storage and access technologies, meaning you cannot use technologies such as cookies for non-exempt purposes without user consent.
  • You should provide users with the opportunity to refuse the use of storage and access technologies for non-exempt purposes. 
  • You must ensure that refusal of consent shall be as easy as giving consent. 
  • You must enable users to exercise controls over any use of storage and access technologies for non-exempt purposes.

Given that you must comply with the UK GDPR’s consent requirements when you use cookies or similar technologies, getting familiar with the UK GDPR’s consent requirements is essential to your compliance efforts. 

You can read our practical guidance on UK GDPR here:

{{uk-gdpr}}

Five exceptions to the consent requirement

As we explained above, the PECR prohibits you from using access or storage technologies such as fingerprinting and tracking pixels unless you obtain GDPR-compliant user consent. 

However, there are five exceptions to these consent requirements. 

If your purposes for a specific access or a storage technology comply with one of these exemptions, you will be able to use them without prior user consent. 

Exemption 1: Communication exemption 

If the use of a specific cookie or a similar technology is a must for the transmission of a communication, you may rely on the communications exemption to use cookies or similar technologies without user consent. 

In particular, if your cookies or similar technologies are essential to achieve one of the following properties of electronic communication, you can rely on this exemption: 

  • route information over a network by identifying the communication ‘endpoints’ - devices that accept communications across that network;
  • exchange data items in their intended order; and
  • detect transmission errors or data loss. 

The new ICO Guidance states that Device fingerprinting techniques solely for network management purposes are likely to fall under the communication exemption. 

Exemption 2: ‘Strictly necessary’ exemption 

If the use of a storage or an access technology is essential to provide a service a user requests, you can rely on the “strictly necessary exemption” to place those technologies without prior user consent. 

However, the ICO Guidance emphasizes that you should consider the user’s perspective when determining whether an access or storage technology is essential to the service requested by the user. The ICO Guidance then lists examples of cookie use that may fall under this exemption, including user authentication, content streaming, and hosting embedded content. 

In contrast, the ICO Guidance states that online service providers, such as websites or mobile apps, cannot rely on this exemption to use cookies or similar technologies for advertising or cross-site tracking purposes. 

Exemption 3: Statistical purposes exemption 

The Data Use and Access Act 2025 introduced new exemptions that organizations may rely on to use cookies or similar technologies, provided that certain conditions are met. 

This exemption applies only if your sole purpose is one of the following: 

  • To improve your website by collecting information about how your website is used, with the purpose of improving your website. 
  • To improve your services by collecting information for statistical purposes about how your services are used, with the purpose of improving your website. 

Importantly, you must provide users with clear and comprehensive information about the purpose and a free and simple means to object. For example, if you collect information about the content your users spend time on to produce more content similar to it, this may fall under this exemption. 

However, the ICO Guidance explicitly states that this exemption does not apply to the use of collected data for secondary purposes such as making inferences about people. Additionally, you must aggregate the data you collected and not retain individual-level information. 

Last but not least, the ICO Guidance notes that you cannot rely on this exemption to collect information automatically emitted by terminal equipment, such as wifi probe requests. 

Exemption 4: Appearance exemption 

If you use storage or access technologies for the sole purpose of adopting the appearance or functions of your service in accordance with your user’s preference, or of improving the appearance or functionality of your website when displayed on or accessed by your user’s device, this exemption may be applicable. 

If this exemption applies to your use of cookies or similar technologies, you will still need to implement additional compliance steps. Those steps include providing users with clear and comprehensive information about the purpose of cookies, and offering them a free and simple way to object. 

For instance, if cookies help you remember users’ language preferences or implement responsive design by considering a user’s device dimensions, this exemption is likely to apply. 

On the other hand, this exemption does not cover the adoption of user consent based on the user’s interests or browsing history. 

Exemption 5: Emergency assistance exemption 

This exception applies where the sole purpose of the storage or access is to identify the geographical position of the subscriber’s or user’s device to provide emergency assistance.

How to obtain and manage consent in compliance with the PECR 

The new ICO Guidance offers detailed information on how organizations should obtain and manage user consent. 

In particular, websites, mobile apps, and other internet service providers should consider the following requirements:

  • You must obtain prior consent before placing or accessing cookies or similar technologies, unless an exemption applies.
  • You must inform users of the identities of all specific third parties who may use access or storage technologies to store or access information on their devices. 
  • You should carefully consider the use of banners, pop-ups, message boxes, header bars, or similar methods, particularly regarding their impact on the user experience.
  • You should ensure that electronic consent requests are not unnecessarily disruptive.
  • You must provide users with granular consent options for each purpose of using cookies or similar technologies.
  • You need to take a holistic approach when determining the duration of consent.
  • If you introduce new storage and access technologies for a different purpose than what you originally stated when consent was granted, you must obtain fresh consent for the new technology or purpose.
  • If you use a consent management platform (CMP) provider to obtain and manage user consent, you must consider the controller/processor roles each party holds under the UK GDPR, as well as the parties’ responsibilities. 
  • Given that the five exceptions provided under the PECR are purpose-specific, it can be challenging to use ‘multi-purpose’ storage and access technologies.
  • You must provide users with a mechanism to withdraw their consent that is as easy as giving it. 

In summary, the ICO's April 2026 Guidance reinforces that consent remains the default requirement for cookies and similar technologies, with only narrow, purpose-specific exemptions available. 

Organizations should audit their current use of storage and access technologies against each exemption carefully, ensure their consent mechanisms meet UK GDPR and PECR standards, and take note of the significantly increased PECR penalties.

How Didomi can help comply with the ICO guidance on cookies and similar technologies

Unless one of the exemptions we listed above applies, the only other option you have to use storage and access technologies like cookies or fingerprinting is UK GDPR-compliant consent. Even if you rely on the “statistical purposes” or “appearance” exemption under the PECR, you will still need to offer users a free and easy way to object to the use of cookies or similar technologies. 

In addition, the requirement to provide users with clear and transparent information about the use of cookies or similar technologies requires websites, mobile apps, and other online service providers to establish and implement an end-to-end consent solution to obtain and manage user consent. 

If you are looking for a comprehensive consent solution to help you obtain and manage consent, learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the UK, EU, and worldwide, and discuss your challenges with one of our experts:

{{talk-to-an-expert}}

Frequently asked questions (FAQs) 

What are the storage and access technologies under the PECR and the new ICO Guidance on the use of Storage and Access Technologies? 

Cookies, tracking pixels, and fingerprinting techniques fall under the scope of the PECR.  Similarly, link decoration, web storage, and navigational tracking are also subject to the relevant PECR rules. 

What are the five exemptions to the consent requirement under the PECR? 

The PECR prohibits you from using storage or access technologies unless you obtain users' consent. However, there are five exemptions to the consent rule: “Communication exemption”, “strictly necessary exemption”, “statistical purposes exemption, appearance exemption, and emergency assistance exemption. 

Does the PECR apply to organizations outside the UK? 

Unlike the UK GDPR, the PECR does not set out specific rules for organizations based outside the UK. However, if you are based outside the UK and process personal data via cookies or similar technologies, the UK GDPR may still apply to your use of these technologies. 

The author
The authors
Ali Talip Pınarbaşı
Freelance writer
London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London, advising businesses on how to comply with data protection laws.
Access author profile
Ali Talip Pınarbaşı
Freelance writer
London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London, advising businesses on how to comply with data protection laws.
Access author profile
Access author profile